Am I hacked? Silly me

Rani

Hey peeps, so I jumped on here about a year ago asking if I should upgrade my 5 DS-2CD2332's 5.0 firmware but I was not made aware of the backdoor hack specifically (with all due respect to "alastairstevenson" who I'm sure had my best interests at heart) and I should have researched more into it, so I left everything and everything was running fine. Until...

A couple of days ago I changed the default password and activated RTSP to integrate the cams with "Home Assistant". I had also just purchased the Netgear Orbi which had UPnP activated by default. Then within a day I lost all my 5 cameras (not visible by NVR or web).

I was unaware of the backdoor hacks until this problem happened and I researched into it.
I'm now panicking and don't know where to start troubleshooting the problem.

Where do I go from here?
If/when I do get my cams back, will updating the firmware get rid of all previous hacks?

There is this part of the article "Hikvision flaw could be remotely exploited to hijack cameras, DVRs":

> Take over the user’s account after resetting their password. After that, even if the user tried factory resetting their device, it would not be “unbound” from the attacker’s account without contacting Hikvision. Stykas added, “If we change the password we can use the devices menu on the Hik-connect android app and manage the device (update firmware and brick it or do whatever we want) without any password given.”

How accurate is that? Should I just call my supplier and get the cams replaced?

Thanks in advance
 

fenderman

Don't misrepresent what Alastair told you. You didn't read his response. He warned you about the hacking. "Running ancient firmware on DS-2CD2332, worth upgrading?"
 

mikeynags

To @alastairstevenson's defense, he did say "But if it's running AOK, and not exposed to hacking, probably best left as-is."

Have you tried calling Hikvision support as the article mentions and have the cams unbound from the attacker's account?
 

Rani

> Don't misrepresent what Alastair told you. You didn't read his response. He warned you about the hacking. "Running ancient firmware on DS-2CD2332, worth upgrading?"

Yes, apologies, I'm not blaming him at all. I admit it was my fault for not doing my due diligence.

> to @alastairstevenson Have you tried calling Hikvision support as the article mentions and have the cams unbound from the attacker's account?

No, not yet. I was thinking of calling my supplier to see if he knows the problem.
I'm uncertain if it is a hack yet as my cams are inaccessible.
So there's nothing about the hack that can be permanent as long as I contact Hikvision?
 

alastairstevenson

If it's a password no longer working -
A hacked camera is often left with these passwords for you to try : 1111aaaa and asdf1234
If neither of those work, the password can be extracted via the 'Hikvision backdoor' by pulling the configuration file.
Use this URL, from a PC with an IP address in the same range as the camera, replacing the camera IP address as needed :
http://<camera_IP_address>/System/configurationFile?auth=YWRtaW46MTEK

Zip up the resulting file, attach here, and I can decrypt and decode it to extract the password for you.

And for the future - the camera can be converted to EN / updatable such that the firmware can be upgraded to a backdoor-fixed version with this method :
Unbrick and fully upgrade your R0 / DS-2CD2x32 IP cameras -
R0 / DS-2CD2x32 BrickfixV2 brick recovery and full upgrade tool - enhanced.
Lots of people have used it - it's not too bad.
 

SouthernYankee

For security reasons, your cameras should not be exposed to the internet. The cameras should be blocked at the router, or placed on a separate subnet, which prevents access from the internet.
 

Dramus

> to @alastairstevenson defense, he did say "But if it's running AOK, and not exposed to hacking, probably best left as-is."

And by "not exposed to hacking" one suspects he meant "not (directly) exposed to the Internet."

Anything that's exposed to the Internet is, by definition, exposed to hacking. Likewise anything accessible via a poorly-secured or otherwise-exploitable WiFi system.
 

alastairstevenson

Yes, my terminology was a bit lacking in that response, not as explicit as it should have been.
Ta for the clarifications, folks!
 

alastairstevenson

> I had also just purchased the Netgear Orbi which had UPnP activated by default. Then within a day I lost all my 5 cameras (not visible by NVR or web)

This just catches so many people out!
UPnP on the router, and any device on the LAN with UPnP (eg Hikvision cameras, enabled by default) can mess with the router and allow inbound access that you don't even know about.
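
An added example, not part of the original thread: a small Python audit that sends a standard SSDP discovery request on your own LAN and reports which devices answer as UPnP, flagging any that advertise the Internet Gateway Device service a router uses to accept port-mapping requests. The function names and the sample replies (IP addresses, URLs) are constructed for illustration.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group and port
IGD_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")

def build_msearch(st="ssdp:all", mx=2):
    """Build the SSDP M-SEARCH request that UPnP devices answer."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")

def parse_response(data):
    """Return the reply's headers (lower-cased names), or None if not a 200 reply."""
    lines = data.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    parts = (line.partition(":") for line in lines[1:])
    return {name.strip().lower(): value.strip() for name, sep, value in parts if sep}

def audit(replies):
    """Map each replying IP to its advertised types and whether it offers IGD port mapping."""
    report = {}
    for ip, raw in replies:
        hdrs = parse_response(raw)
        if hdrs is None:
            continue
        entry = report.setdefault(ip, {"igd": False, "types": set()})
        st = hdrs.get("st", "")
        entry["types"].add(st)
        entry["igd"] = entry["igd"] or any(m in st for m in IGD_MARKERS)
    return report

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and collect replies until the timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            return replies

# Constructed sample replies (not captured from real devices): a router and a camera.
SAMPLE = [("192.168.1.1", b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"),
          ("192.168.1.64", b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n")]
```

On a real network, `audit(discover())` gives the same report for live devices; an entry with `igd` set means the router still accepts UPnP port mappings, and any camera that appears at all still has UPnP switched on.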
 

Rani

Hey peeps, thanks very much for the replies.

@alastairstevenson I hope you didn't take offence to my OP.
In regards to the cameras, they're not accessible at all. The NVR shows no cameras, and when I navigate to the cam's original IPs there's nothing.
So it's like they've been reset back to default and unconfigured.
 

alastairstevenson

No offence at all, no worries.
What does SADP show for the cameras?
Are they on the LAN or on NVR PoE ports?
If on NVR PoE ports, plug the PC into an unused port so SADP can see the cameras.
 

Rani

So I plugged my PC straight into the PoE and SADP is showing all cams.

For some reason the cams have changed their IP addresses and I guess that's why the NVR couldn't connect to them.

I can log in to the cameras with the same password I had set up, which tells me that they were not hacked?
 

alastairstevenson

> I can log in to the cameras with the same password I had set up, which tells me that they were not hacked?

What IP addresses are showing?
If the cameras were all connected to the NVR PoE ports - generally they'd not be very accessible for being messed with.
But it's a bit coincidental that you changed your router and it had UPnP enabled.
For LAN-based cameras, that would be bad, they could be easily accessible.

OK, so you have access to the cameras.
With SADP you can change the IP addresses back to what the NVR PoE channels are set to, and all should work again.

In principle - cameras that get hacked could have anything changed on them, it doesn't have to be the password.
 

Rani

Hey @alastairstevenson
Apologies for the disappearance, been really under the weather for the past few days.

I have now managed to upgrade all to latest firmware. Cameras (V5.4.5 build 170123) and NVR (V3.1.0 build 171010)

There is one thing I'm really confused about: if my cameras are attached to the NVR and have 192.0.0.X IPs, that does mean they're not exposed to the internet as they're on a different subnet, right?
My NVR is the only thing that I want to be accessible externally and it has the 192.168.1.250 IP address. What I have done is forward its port (8000).

Which leads me to my problem. I can't seem to configure the cameras on the NVR by using the "manual" option instead of "plug-and-play" for some reason.
If I select "Manual" and put in the camera's password it says "Offline(Network Abnormal)".
If I select "plug-and-play" it says "Offline(User password error.)".

I don't want to use the plug-and-play on the cameras as I'm afraid it might forward ports I don't want it to forward and make them externally accessible.

I'm sorry, I don't know much about networking.

Here are my settings but the NVR is refusing to connect the cameras.
 

alastairstevenson

> Apologies for the disappearance, been really under the weather for the past few days.

No problem, hope you are better now.

> if my cameras are attached to NVR and have 192.0.0.X IPs that does mean they're not exposed to the internet as they're on a different subnet right?

When connected to NVR PoE ports, the cameras are by default not accessible from the LAN, although when the very useful and convenient feature 'Virtual Host' is enabled, it's possible to access the cameras from the LAN.
But they are much safer than they would be if they were on the LAN, when UPnP could be enabled on the router, and also on the cameras. That's the risky combination that must be avoided. Best disable UPnP on both.

> I don't want to use the plug-and-play on the cameras as I'm afraid it might forward ports I don't want it to forward and make them externally accessible

Plug&Play won't do that, don't worry about it.

> If I select "Manual" and put in the camera's password it says "Offline(Network Abnormal)"
> If I select "plug-and-play" it says "Offline(User password error.)"

I don't think you've said what model of NVR you are using.
My understanding is that the cameras all disconnected from the NVR, and you found they'd changed IP addresses.
You can see all the cameras with SADP, and now know the camera IP addresses, and know the camera passwords.

To get the cameras back connected, this is what you could do.
In the NVR web GUI, note down the IP addresses as specified for each channel of the NVR.
These would normally be in the 192.168.254.x range - but you've suggested yours are 192.0.0.x. Did you customise the 'Internal NIC' IP address (in the NVR VGA/HDMI interface) away from the default?
Ensure that the camera password that is set on the NVR channel matches what you know works on the cameras. The channel needs to be in Manual mode to be able to set that.

Having noted the IP addresses associated with each NVR channel, you then need to set the camera IP address to match the channel it is plugged in to.
SADP will do that, when the PC is connected to an unused NVR PoE port.

That should bring the cameras back to a connected state.
Good luck!
 